New User Account

Date: 05/04/02

Date: Sat, 4 May 2002 06:02:13 -0700

We are currently exploring security options for new users
on a fresh W2K install (All NTFS, SP2 has been applied)
and notice that when we create a new user account who is a
member of the Users group only, the account is denied
access when signing on for the first time locally. The
message is ". . . cannot load user profile. . ." If we
give this user explicit security rights to the Documents
and Settings Folder we can then sign on, and since the
user profile has been created we can subsequently sign on
even if we take the explicit right away. If we only gave
the Users Group rights to this folder we would not have
been allowed to sign on.

If we had made the New User a member of the Power Users
group then we would also have been able to sign on without
doing anything special. Here again, if we were to remove
the New User from the Power Users group, it would have no
effect on subsequent sign-ons because the new profile
would have already been created.

If possible, can someone confirm that this is the intended
behavior of W2K (i.e., profiles for new users are NOT
always loadable by the OS)? By the way, giving security
rights to the local drive alone did not bypass the ". . .
cannot load user profile . . ." message. We had to either
add the user to the Power Users group or explicitly add
them in the Security Tab of the Documents and Settings
Folder. Thanks for any help/comments.